A critical vulnerability in Cisco's Secure Firewall Management Center Software, identified as CVE-2026-20131, was exploited by the Interlock ransomware group as a zero day, weeks before a patch was released [1]. This remotely exploitable deserialization flaw carries the maximum CVSS score of 10. Cisco patched the vulnerability on March 4 as part of its semiannual firewall update, but not before the Interlock group had already begun exploiting it. That a prominent ransomware group was able to exploit the vulnerability before a patch was available highlights the importance of prompt patching and vigilance: security teams need to prioritize patching critical vulnerabilities, especially those with high CVSS scores, to prevent similar exploits. Exploitation by a major ransomware group makes this a patch-now situation for security practitioners.
Ransomware group exploited Cisco firewall vulnerability as a zero day, weeks before a patch appeared
⚠️ Critical Alert
Why This Matters
CVE-2026-20131 is in active discussion involving Amazon — exploitation status determines whether this is patch-now or monitor.
References
- CSO Online. (2026, March 19). Ransomware group exploited Cisco firewall vulnerability as a zero day, weeks before a patch appeared. CSO Online. https://www.csoonline.com/article/4147770/ransomware-group-exploited-cisco-firewall-vulnerability-as-a-zero-day-weeks-before-a-patch-appeared.html